Malware Analysis Report

2024-11-30 05:28

Sample ID 240711-eg386axglk
Target !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
SHA256 6c81b1592687b97ae97b015440c1664396933b9cee5ea87c6ffd26cb30f255d1
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c81b1592687b97ae97b015440c1664396933b9cee5ea87c6ffd26cb30f255d1

Threat Level: Known bad

The file !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 03:55

Signatures

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:58

Platform

win10v2004-20240709-es

Max time kernel

96s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 732 set thread context of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 8.8.8.8:53 bannngwko.shop udp
US 104.21.81.196:443 bannngwko.shop tcp
US 8.8.8.8:53 bargainnykwo.shop udp
US 8.8.8.8:53 113.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 196.81.21.104.in-addr.arpa udp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 93.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 radiationnopp.shop udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 answerrsdo.shop udp
US 172.67.203.63:443 answerrsdo.shop tcp
US 8.8.8.8:53 publicitttyps.shop udp
US 172.67.134.88:443 publicitttyps.shop tcp
US 8.8.8.8:53 169.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 63.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 benchillppwo.shop udp
US 104.21.81.128:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 88.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 128.81.21.104.in-addr.arpa udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 48.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/732-0-0x00000000744B0000-0x00000000744C4000-memory.dmp

memory/732-1-0x00007FFE06510000-0x00007FFE06705000-memory.dmp

memory/732-6-0x00000000744B0000-0x00000000744C4000-memory.dmp

memory/732-5-0x00000000744C2000-0x00000000744C4000-memory.dmp

memory/732-7-0x00000000744B0000-0x00000000744C4000-memory.dmp

memory/4528-10-0x00000000744B0000-0x00000000744C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ff0c78a

MD5 e3ac52c728074bfb1af75124bd7e0b71
SHA1 5dcdf46b2c7e35b342784388d09b5ab030103e5c
SHA256 b453f86b147e78ba0f4ce1009b2962e52aefbf00dcf8590f96c5e248e32e7e67
SHA512 609df55e6dce9c55e904f3513dd897eb97d8d42d268b629352fefa74382ec4afc53b8579ea22b286ef4000a53182cd1c90aa9d6497b74cc9278acdd9fc48a449

memory/4528-12-0x00007FFE06510000-0x00007FFE06705000-memory.dmp

memory/4528-13-0x00000000744B0000-0x00000000744C4000-memory.dmp

memory/4528-14-0x00000000744B0000-0x00000000744C4000-memory.dmp

memory/4528-16-0x00000000744B0000-0x00000000744C4000-memory.dmp

memory/1192-17-0x00007FFE06510000-0x00007FFE06705000-memory.dmp

memory/1192-18-0x0000000000850000-0x00000000008BB000-memory.dmp

memory/1192-19-0x000000000059B000-0x00000000005A2000-memory.dmp

memory/1192-20-0x0000000000850000-0x00000000008BB000-memory.dmp

memory/1192-21-0x0000000000850000-0x00000000008BB000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:56

Platform

win7-20240708-es

Max time kernel

0s

Max time network

6s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\avenue.css

Signatures

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 2700 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 2700 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\avenue.css

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\avenue.css

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:56

Platform

win10v2004-20240709-es

Max time kernel

2s

Max time network

6s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\avenue.css

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 3036 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\avenue.css

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\avenue.css

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:58

Platform

win7-20240704-es

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:57

Platform

win10v2004-20240709-es

Max time kernel

34s

Max time network

37s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:57

Platform

win7-20240708-es

Max time kernel

76s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:57

Platform

win10v2004-20240709-es

Max time kernel

3s

Max time network

11s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:57

Platform

win10v2004-20240709-es

Max time kernel

34s

Max time network

41s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\heartthrob.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\heartthrob.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

memory/4356-0-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp

memory/4356-2-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp

memory/4356-1-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp

memory/4356-4-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp

memory/4356-3-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp

memory/4356-5-0x00007FFC320ED000-0x00007FFC320EE000-memory.dmp

memory/4356-7-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-8-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-9-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-11-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-13-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-12-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-14-0x00007FFBEFCA0000-0x00007FFBEFCB0000-memory.dmp

memory/4356-10-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-6-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-16-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-15-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

memory/4356-17-0x00007FFBEFCA0000-0x00007FFBEFCB0000-memory.dmp

memory/4356-26-0x00007FFC32050000-0x00007FFC32245000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:56

Platform

win7-20240705-es

Max time kernel

14s

Max time network

18s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:58

Platform

win7-20240704-es

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2644 set thread context of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/2644-0-0x00000000748B0000-0x0000000074947000-memory.dmp

memory/2644-1-0x0000000077860000-0x0000000077A09000-memory.dmp

memory/2644-6-0x00000000748B0000-0x0000000074947000-memory.dmp

memory/2644-5-0x00000000748C2000-0x00000000748C4000-memory.dmp

memory/2644-7-0x00000000748B0000-0x0000000074947000-memory.dmp

memory/2824-10-0x00000000748B0000-0x0000000074947000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ecf251b

MD5 4ff9b3c87284e5d435149822d5a3696c
SHA1 a48e606667e30e0c72dc928a3902f0d4cdd2a7a8
SHA256 51eaf69a5e2299aafc413bd1e9f6482853b096ae9fba4473cfe91ce3d595111f
SHA512 a196f1c19b97ab8f69ed7ec6497f318e5e113c08e3869a3e7efad0ec547d0d82c3425920c7c2ec13abf741ee3f6384b0e10b171b0aee8906c35a2325d325688f

memory/2824-12-0x0000000077860000-0x0000000077A09000-memory.dmp

memory/2824-13-0x00000000748B0000-0x0000000074947000-memory.dmp

memory/2824-14-0x00000000748B0000-0x0000000074947000-memory.dmp

memory/2824-16-0x00000000748B0000-0x0000000074947000-memory.dmp

memory/2564-17-0x0000000077860000-0x0000000077A09000-memory.dmp

memory/2564-18-0x0000000000150000-0x00000000001BB000-memory.dmp

memory/2564-21-0x0000000000150000-0x00000000001BB000-memory.dmp

memory/2564-22-0x000000000044D000-0x0000000000455000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:56

Platform

win10v2004-20240709-es

Max time kernel

35s

Max time network

40s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4644 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4644 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-11 03:55

Reported

2024-07-11 03:57

Platform

win7-20240708-es

Max time kernel

25s

Max time network

18s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\heartthrob.doc"

Signatures

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\heartthrob.doc"

Network

N/A

Files

memory/2740-0-0x000000002F1E1000-0x000000002F1E2000-memory.dmp

memory/2740-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2740-2-0x000000007398D000-0x0000000073998000-memory.dmp